Viewing Capture ATP Status


Capture ATP

- Viewing Capture ATP Status
- Configuring Capture ATP

Viewing Capture ATP Status

- Capture ATP > Status
- About the Chart
- About the Log Table
- Uploading a File for Analysis
- Viewing Threat Reports

Capture ATP > Status

IMPORTANT: Capture Advanced Threat Protection (ATP) is an add-on security service to the firewall, similar to Gateway Anti-Virus (GAV), that helps a firewall identify whether a file is malicious. Capture ATP is supported on all SuperMassive, NSA, and TZ600 and TZ500/TZ500W appliances running SonicOS or higher.

Before you can enable Capture ATP you must first get a license, and you must enable the Gateway Anti-Virus (GAV) and Cloud Anti-Virus Database services. After Capture ATP is licensed, you can view Capture ATP status in your MySonicWall account as well as configure and receive alerts and notifications.

For further information about Capture ATP, licensing it, and using your MySonicWall account to configure and receive alerts and notifications, see the SonicOS Capture Advanced Threat Protection Feature Guide.

The Capture ATP > Status page displays a graph and a log table that provide information for each file that has been scanned. Files can be uploaded to Capture ATP for scanning from this page by clicking the Upload a file button.

Topics:

- About the Chart
- About the Log Table
- Uploading a File for Analysis
- Viewing Threat Reports

About the Chart

The chart shows the number of files scanned for each day. The X axis represents time and shows only the last 30 days, with a bar for each day. The Y axis represents the number of files scanned.

The percentage of malicious files found is represented by the color of each bar in the chart. The legend shows the percentage of files that each color represents, from zero (light grey) indicating that no malicious files were found to bright red indicating that 100% of files were found to be malicious. The number of files scanned is shown below the chart.

When you mouse over a bar, a popup message shows the actual numbers of files scanned and malicious files found on that day.

About the Log Table

Below the graph, the log table shows information for each file that has been scanned. The columns are:

- Status: Status of the scan:
  - Scan pending: The scan is in progress.
  - Clean: The scan has completed, but no judgment is confirmed yet.
  - Scan failed: The scan failed.
  - MALICIOUS icon: The scan has completed, and the judgment is malicious.
- Date: Date the file was scanned.
- Filename: Name of the file.
- Submitted by: Serial number of the firewall that submitted the file to Capture ATP.
- Src: IP address where the file originated.
- Dest: IP address where the file was sent.

The log table allows you to scroll through the list of scanned files. If a scan fails, that row is dimmed. If a malicious file is found, that row is bolded and a red Malicious icon displays. Clicking on any row opens the threat report.

The heading for this page is dynamic and can appear in one of two states, depending on whether filters are applied:

- When no filters are applied - Viewing n files scanned.
- When filters are applied - Viewing n files of y total scanned.

The rows of the Date column can be sorted in ascending or descending order. The heading of the column used for sorting is black instead of grey. The selected sort order is persistent as filters are added or removed.

Topics:

- Filtering the Display with a Filter Tag
- Filtering the Display for One Instance

Filtering the Display with a Filter Tag

IMPORTANT: The graph, log table, and filters are bound, and any interaction on one affects the others.

To customize what is displayed in the log table:

1 Click the Add filter link. A popup dialog displays.
2 Select the criteria you want from the drop-down menus:
  a From the first drop-down menu, select the column name, such as Status (default).
  b From the second drop-down menu, select the operator: is (default) or is not.
  c From the third drop-down menu, select the appropriate criteria for the selected column. What is displayed depends on what you selected from the first drop-down menu.
3 Click Add. A filter tag is displayed and the table results are updated immediately.
4 To add more filters, repeat Step 1 through Step 3. Only one type of filter can be applied to the log table at a time.

To delete a filter, click the X in the filter tag.

Filtering the Display for One Instance

To filter for one instance:

1 Click on a single bar in the chart to set the filter for the log table to show the details of that bar (date) only.

Uploading a File for Analysis

You can manually upload files to be scanned by using the Upload a file button.

To upload a file for scanning:

1 Navigate to Capture ATP > Status.
2 Click Upload a file. The Upload a file to be scanned dialog displays.
3 Click the Browse button. The Open file dialog displays.
4 Select a file and click Open.
5 Click Upload. A Success dialog displays.
  NOTE: If the upload fails, an error message is displayed, such as:
6 Click OK. The chart and log table are updated immediately.

You can click on any file in the log table on the Status page and see the results from the detailed analysis of that file.

Viewing Threat Reports

When you click on any row in the log table on the Capture ATP > Status page, the Capture ATP threat report appears in a new browser window. The report format varies depending on whether a full analysis was performed or the judgment was based on preprocessing.

Topics:

- Launching the Threat Report from the Log Table
- Viewing the Threat Report Header
- Viewing the Threat Report Footer
- Viewing Static File Information
- Viewing Threat Reports from Preprocessing
- Viewing Threat Reports from a Full Analysis

Launching the Threat Report from the Log Table

You can launch a threat report by clicking on any row in the log table on the Capture ATP > Status page. Mousing over a row highlights it, and you can click anywhere in the row to launch the threat report in a new browser window.

NOTE: No threat report is launched for archives that do not contain any supported file types.

Viewing the Threat Report Header

The report header is very similar among the various threat reports. This section describes the header components and variations. The banner has two parts:

- An upper banner that is colored:
  - Red for a malicious file.
  - Blue for a clean file.
  The top entry displays the date and time that the file was submitted to Capture ATP for analysis. The bottom entry displays the IP address that downloaded the file.
- A lower banner that contains connection information:
  - On the left is the IP address (IPv4) and port number of the connection source. This is the address from which the file was sent.
  - In the middle is the firewall identified by its serial number or friendly name.
  - On the right is the IP address (IPv4) and port number of the connection destination. This is the address to which the file is being sent.

Viewing the Threat Report Footer

The report footer is very similar among the various threat reports. The File Identifiers are displayed at the left side of the footer, one per line:

- MD5
- SHA1
- SHA256

This information is displayed on the right side of the footer:

- Serial Number: Serial number of the firewall that sent the file. This is not displayed if the file was manually uploaded.
- Capture ATP Version: Software version number of the Capture ATP service running in the cloud.
- Report Generated: Timestamp, in UTC format, of when the report was generated.

Viewing Static File Information

The static file information is displayed on the left side of the threat report and is similar across all types of reports:

- File size in kilobits (kb)
- File type
- File name as it was intercepted by the firewall

Viewing Threat Reports from Preprocessing

There are varying amounts of data on a preprocessor threat report, based on whether the file was found to be malicious or clean.

[Figure: A preprocessor report from a malicious file]

[Figure: A preprocessor report from a clean file]

A clean threat report is seen in either of the following two cases:

- Case 1: Virus scans are inconclusive or all good. The file matches domain or vendor allow lists.
- Case 2: Virus scans are inconclusive or all good. No embedded code is present in the file.

Analysis Summary and Status Boxes in Preprocessor Reports

- Analysis summary: Preprocessor threat reports contain an Analysis Summary section on the left side, which summarizes the findings based on the four phases of analysis during preprocessing.
- Status boxes: The true/false results from the four phases of preprocessing are displayed in the status boxes.

Four areas of preprocessor analysis shows what happens in the process depending on the result of each phase of the preprocessing.

Four areas of preprocessor analysis

Preprocessor phase result | Virus scanners detect malware | Vendor reputation on Allow list? [1] | Domain reputation on Allow list? [1] | Embedded code found in the file?
True | Malicious | Non-malicious | Non-malicious | Continue analysis
False | Continue analysis | Continue analysis | Continue analysis | Non-malicious

[1] The vendor reputation filter is only applicable for PE files, and the domain reputation might not be available for files delivered over SMTP. In these cases, the Continue analysis state is the phase result.
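The decision table above expressed as code, as an added example that is not part of the SonicWall guide or of SonicOS. Evaluating the phases in the table's column order is an assumption, as are all class, field, and function names.

```python
from dataclasses import dataclass
from typing import Optional

MALICIOUS = "Malicious"
NON_MALICIOUS = "Non-malicious"
CONTINUE = "Continue analysis"
FULL_ANALYSIS = "Sent to cloud for full analysis"


@dataclass
class PreprocessFacts:
    """What preprocessing knows about one file (field names are assumptions)."""
    file_type: str                        # "PE", "PDF", ... (labels are assumptions)
    av_detected: bool                     # a virus scanner detected malware
    vendor_on_allow_list: bool
    domain_on_allow_list: Optional[bool]  # None = domain reputation unavailable
    embedded_code: bool


def phase_results(f):
    """Per-phase outcome, in the column order of the table (order is assumed)."""
    # Footnote 1: the vendor reputation filter only applies to PE files.
    vendor_hit = f.file_type == "PE" and f.vendor_on_allow_list
    # Footnote 1: domain reputation may be unavailable (e.g. SMTP delivery).
    domain_hit = f.domain_on_allow_list is True
    return [
        ("virus_scanners", MALICIOUS if f.av_detected else CONTINUE),
        ("vendor_reputation", NON_MALICIOUS if vendor_hit else CONTINUE),
        ("domain_reputation", NON_MALICIOUS if domain_hit else CONTINUE),
        ("embedded_code", CONTINUE if f.embedded_code else NON_MALICIOUS),
    ]


def judge(f):
    """Return (verdict, deciding_phase); the first immediate judgment wins."""
    for phase, result in phase_results(f):
        if result != CONTINUE:
            return result, phase
    # Every phase ended in "Continue analysis": hand off to the cloud service.
    return FULL_ANALYSIS, None


def report_type(f):
    """Which threat report format the verdict leads to."""
    verdict, _ = judge(f)
    return "full analysis" if verdict == FULL_ANALYSIS else "preprocessor"


# Constructed sample inputs (not taken from any real scan).
SAMPLES = {
    "known malware": PreprocessFacts("PE", True, True, True, True),
    "allow-listed vendor, PE": PreprocessFacts("PE", False, True, None, True),
    "vendor list ignored for PDF": PreprocessFacts("PDF", False, True, None, True),
    "allow-listed domain": PreprocessFacts("PDF", False, False, True, True),
    "no embedded code": PreprocessFacts("PDF", False, False, None, False),
}

if __name__ == "__main__":
    for name, facts in SAMPLES.items():
        verdict, phase = judge(facts)
        print(f"{name:30} {verdict:32} decided by: {phase}  ({report_type(facts)} report)")
```
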

Some phase results trigger an immediate judgment of either Malicious or Non-malicious, as indicated in Four areas of preprocessor analysis. Otherwise, that phase ends with the Continue analysis state. If all phases of preprocessing result in the Continue analysis state, the file is sent to the cloud for full analysis by Capture ATP.

Malware names in preprocessor reports

If the virus scanners detect known malware in the file, all malware names are listed in the content area of the report.

[Figure: Malware names]

Viewing Threat Reports from a Full Analysis

Full analysis threat reports provide the same set of information for both malicious and non-malicious files, although the banner color is different. This Threat Report format is used when the following conditions occur:

- Virus scans are inconclusive or all good.
- Embedded code is present in the file.
- The file does not match domain or vendor allow lists.

Topics:

- Why Live Detonations Were Needed
- Status Boxes
- Analysis Engine Results Tables

Why Live Detonations Were Needed

The left side of the full analysis threat report displays a summary of the preprocessing results as an explanation of why live detonations were needed. The term live detonations is used to indicate that one or more analysis engines and multiple environments were used to analyze the file in the cloud servers.

Status Boxes

The status boxes in full analysis threat reports display status from preprocessing results as well as information about the analysis performed in the cloud servers.

- Virus scanners: This is the number of Anti-Virus vendors used, regardless of the judgment from each. SonicWall Gateway Anti-Virus and Cloud Anti-Virus each count as one. Additional virus scanners from many AV products and online scan engines are included in the total.
- Reputation databases: One is the vendors allowed list. One is the domains allowed list.
- Detonation engines: Number of analysis engines used to analyze the file. One is the SonicWall analysis engine. Additional analysis engines from third-party vendors are included in the count.
- Live detonations: Total number of environments used across all analysis engines. The environment comprises the analysis engine and the operating system on which it was run.

Analysis Engine Results Tables

Under the status boxes, the full analysis threat report displays multiple tables showing the results from each analysis engine. The engines are designated by names from the Greek alphabet, such as Alpha, Beta, Gamma. Each row represents a separate environment and indicates the operating system in which the engine was executed.

The overall score from the analysis in each environment is displayed in a highlighted box to the left of the operating system. The color of the box indicates whether the score triggered a malicious or non-malicious judgment:

- Red indicates a malicious judgment.
- Grey indicates a non-malicious judgment.

For each environment, the columns provide the analysis duration and a summary of actions once detonated:

- Time: Time taken by the analysis, using s for seconds, m for minutes, and timeout if the analysis did not complete.
- Libraries: Cumulative count of malware libraries that were read during the analysis.
- Files: Cumulative count of files that were created, read, updated, or deleted during the analysis.
- Registries: Cumulative count of OS registries that were read during the analysis.
- Processes: Cumulative count of processes that were created during the analysis.
- Mutexes: Cumulative count of mutual exclusion objects that were used during the analysis to lock a resource for exclusive access.
- Functions: Cumulative count of functions executed during the analysis.
- Connection: Cumulative count of network connections that were created during the analysis.

You can click any cell in the Summary of actions table to jump to the full data available further down in the report. Blank cells are not clickable.

Clicking an item in the last column provides access to a file containing the full details of the analysis by the different engines and which you can open or save:

- XML: XML file of all the detailed data behind the above counts.
- Screenshots: Zip file of all the screenshots produced by the analysis.
- PCAP: A packet capture file in pcapng or libpcap format with details about the connections opened during the analysis.

Configuring Capture ATP

- Capture ATP > Settings
- About Capture ATP
- Activating the Capture ATP License
- Enabling Capture ATP
- About the Capture ATP > Settings Page
- Configuring Capture ATP
- Disabling GAV or Cloud Anti-Virus

Capture ATP > Settings

IMPORTANT: Capture Advanced Threat Protection (ATP) is an add-on security service to the firewall, similar to Gateway Anti-Virus (GAV), that helps a firewall identify whether a file is malicious. Capture ATP is supported on all SuperMassive Series, NSA Series, and TZ600 and TZ500/TZ500W firewalls running SonicOS or higher. Capture functionality, however, is not supported in Active/Active DPI mode.

Before you can enable Capture ATP you must first get a license, and you must enable the Gateway Anti-Virus (GAV) and Cloud Anti-Virus Database services. After Capture ATP is licensed, you can view Capture ATP status in your MySonicWall account as well as configure and receive alerts and notifications.

For further information about Capture ATP, licensing it, and using your MySonicWall account to configure and receive alerts and notifications, see the SonicOS Capture Advanced Threat Protection Feature Guide.

Topics:

- About Capture ATP
- Activating the Capture ATP License
- Enabling Capture ATP
- About the Capture ATP > Settings Page
- Configuring Capture ATP
- Disabling GAV or Cloud Anti-Virus

About Capture ATP

Topics:

- About Capture ATP
- Files are Preprocessed
- Blocking Files Until Completely Analyzed
- Files are Sent over an Encrypted Connection

About Capture ATP

Capture Advanced Threat Protection (ATP) helps a firewall identify whether a file is malicious by transmitting the file to the cloud where the SonicWall Capture ATP service analyzes the file to determine if it contains a virus or other malicious elements. Capture ATP then sends the results to the firewall. The analysis and reporting are done in real time while the file is being processed by the firewall.

All files are sent to the Capture ATP cloud over an encrypted connection. Files are analyzed and deleted within minutes of a verdict being determined, unless a file is found to be malicious. Malicious files are submitted via an encrypted HTTPS connection to the SonicWall threat research team for further analysis and to harvest threat information. Files are not transferred to any other location for analysis. Malicious files are deleted after harvesting threat information within 30 days of receipt.

Capture ATP provides a file analysis report (threat report) with detailed threat behavior information.

The firewall is located on your premises, while the Capture ATP server and database are located at a SonicWall facility. The firewall creates a secure connection with the Capture ATP cloud service before transmitting data.

Capture ATP works in conjunction with the Gateway Anti-Virus (GAV) and Cloud Anti-Virus services.

For further information about Capture ATP, see the SonicOS Capture Advanced Threat Protection Feature Guide.

Files are Preprocessed

All files submitted to Capture ATP for analysis are first preprocessed by the GAV service to determine if a file is malicious or benign.
You can also use GAV settings to select or define address objects to exclude from GAV and Capture ATP scanning.

Preprocessed files determined to be malicious or benign are not analyzed by Capture ATP. If a file is not determined to be malicious or benign during preprocessing, the file is submitted to Capture ATP for analysis.

Blocking Files Until Completely Analyzed

For HTTP/HTTPS downloads, Capture ATP has an option, Block file download until a verdict is returned, that ensures no packets get through until the file is completely analyzed and determined to be either malicious or benign. The file is held until the last packet is analyzed. If the file has malware, the last packet is dropped, and the file is blocked. The threat report provides information necessary to respond to a threat or infection.

Files are Sent over an Encrypted Connection

All files are sent to the Capture ATP cloud over an encrypted connection. SonicWall does not keep the files. All file types, whether they are malicious or benign, are removed from the Capture ATP server after a certain time period.

The SonicWall privacy policy can be accessed at

Activating the Capture ATP License

IMPORTANT: Capture ATP requires the Gateway Anti-Virus service, which must also be licensed.

After the Capture ATP service license is activated, Capture ATP appears in the SonicOS left-hand navigation (left nav) panel below DPI-SSL. If Capture ATP is not licensed, it does not appear in the left nav at all.

NOTE: Click on the Synchronize button on the System > Licenses page if Capture ATP does not appear shortly after the Capture ATP service license is activated.

To activate the license, go to the System > Licenses page where you can view all service licenses and initiate licensing for Capture ATP. For more information about licensing, see Managing SonicWall Licenses.

Enabling Capture ATP

IMPORTANT: You must enable Gateway Anti-Virus and Cloud Anti-Virus before you can enable Capture ATP.

When Capture ATP is licensed but not enabled, the banner displays this message: Capture ATP is not currently running. Please see the Basic Setup Checklist below for troubleshooting.

In disabled mode, the Basic Setup Checklist section is visible, but the other sections are dimmed.

To enable Capture ATP:

1 Navigate to Security Services > Gateway Anti-Virus.
2 Enable both Gateway Anti-Virus (GAV) and Cloud Anti-Virus as described in Managing SonicWall Gateway Anti Virus Service.
3 Optionally, you can configure GAV and Cloud Anti-Virus settings, which also apply to Capture ATP.
4 Navigate to Capture ATP > Settings. If Capture ATP is not enabled, a warning message displays:
5 In the Basic Setup Checklist section, click (enable it) in Capture ATP subscription is valid until date but the service is not currently enabled. (enable it). The warning message disappears, and the status indicator becomes a green checkmark.

About the Capture ATP > Settings Page

Topics:

- Basic Setup Checklist
- Bandwidth Management
- Exclusions
- Custom Blocking Behavior

Basic Setup Checklist

The Basic Setup Checklist:

- Displays the status of Capture ATP and its components, GAV and Cloud Anti-Virus.
- Displays any error states that may be present.
- Allows enabling or disabling of the Capture ATP service.
- Provides links to the Security Services > Gateway Anti-Virus page for the GAV, Cloud Anti-Virus, and protocol inspection settings.
- Displays a matrix of the protocol inspection settings and whether the inbound and outbound directions have been enabled.

NOTE: For messages that display in this section, see Capture ATP status through Protocols inspection settings. Enabled corresponds to a green checkmark, and Disabled corresponds to a red X.

Capture ATP status

Icon | Message | Link | Action
Enabled | Capture ATP service is enabled until renewal_date. | disable it | Click the link to turn off Capture ATP and put the service in disabled mode. You do not need to click Accept to apply this change.
Disabled | Capture ATP subscription is valid until renewal_date but the service is not currently enabled. | enable it | Click the link to turn on Capture ATP and put the service in enabled mode. You do not need to click Accept to apply this change.
Disabled | Capture ATP subscription expired on renewal_date. | renew it | Click the link to go to MySonicWall to renew the service.

Gateway Anti-Virus status

Icon | Message | Link | Action
Enabled | Gateway Anti Virus is Enabled. | manage settings | Click the link to display the Security Services > Gateway Anti-Virus page.
Disabled | You must enable Gateway Anti-Virus for Capture ATP to function. | manage settings | Click the link to display the Security Services > Gateway Anti-Virus page.

Cloud Anti-Virus database status

Icon | Message | Link | Action
Enabled | Cloud Anti Virus Database is enabled. | manage settings | Click the link to display the Security Services > Gateway Anti-Virus page.
Disabled | You must enable the Cloud Anti-Virus Database for Capture ATP to function. | manage settings | Click the link to display the Security Services > Gateway Anti-Virus page.

The Inspected Protocols table also provides a manage settings link that takes you to the Security Services > Gateway Anti-Virus page. There, you can enable or disable inspection of specific network traffic protocols, including HTTP, FTP, IMAP, SMTP, POP, CIFS, and TCP Stream. Each protocol can be managed separately for inbound and outbound traffic.

The table below Inspected Protocols displays the current inspection settings for each protocol, in each direction; see Protocols inspection settings.

Protocols inspection settings

Icon | Message
Enabled | Protocol is inspected.
Disabled | Protocol is not inspected.
n/a | Inspection is not applicable to this protocol in this direction.

Bandwidth Management

The Bandwidth Management section enables you to select the types of files to be submitted to Capture ATP and to specify the maximum size of submitted files. You can also specify an address object to be excluded from inspection.

By default, only the Executables (PE, Mach-O, and DMG) file type is enabled.

The default option for the maximum file size is Use the default file size specified by the Capture Service (10240 KB). This specifies a file size limit of 10 megabytes (10 MB). If you select Restrict to KB, you can enter your own custom value. This value must be a non-zero value and must not be greater than the default limit.

For Choose an Address Object to exclude from Capture ATP, optionally select an address object from the drop-down list, or select the option to create a new address object. Members of the selected address object will be excluded from inspection by the Capture ATP service.

Exclusions

The Exclusion section allows you to exclude an Address Object or MD5 hash function from Capture ATP.

To exclude an Address Object:

1 Select the Address Object from the drop-down menu or create a new one.
2 Click Accept.

To exclude an MD5 file:

1 Click the MD5 Exclusion List Settings button. The Add MD5 Exclusions dialog displays.
2 Add the 32-hexadecimal-digit hash function to be excluded.
3 Click Add.
4 To add more than one file, repeat Step 2 and Step 3 for each hash function.
5 Click OK.
6 Click Accept.

Custom Blocking Behavior

The Custom Blocking Behavior section allows you to select the Block file download until a verdict is returned feature.

The default option is Allow file download while awaiting a verdict. This setting allows a file to be downloaded without delay while the Capture service analyzes the file for malicious elements. You can set alerts or check the firewall logs to find out if the Capture service analysis determines that the file is malicious.

The Block file download until a verdict is returned feature should only be enabled if the strictest controls are desired. If you select this feature, a warning dialog appears.

NOTE: The Block file download until a verdict is returned option only applies to HTTP and HTTPS downloads.

Configuring Capture ATP

To configure Capture ATP:

1 Navigate to Capture ATP > Settings.
2 Ensure Capture ATP, GAV, Cloud Anti-Virus database, and relevant protocols are enabled.
3 In the Bandwidth Management section, select the file types to be analyzed by Capture ATP. By default, only Executables (PE, Mach-O, and DMG) is selected.
4 By default Use the default file size specified by the Capture Service (10240 KB) is selected. To specify a custom size, enter a value between 1 and in the Restrict to KB field.
5 Optionally, to exclude an Address Object from Capture ATP, select an Address Object from the Choose an Address Object to Exclude from Capture ATP drop-down menu.
6 Optionally, to exclude a file based on its MD5 checksum, click the MD5 Exclusion List Settings button to display the Add MD5 Exclusions dialog.
  a Add the 32-digit hexadecimal hash to the MD5 field.
  b Click Add.
  c Repeat Step a and Step b for each file to exclude.
  d Click OK.
7 If you are analyzing HTTP/HTTPS files, in the Custom Blocking Behavior section, you can specify whether all files are to be blocked until analysis is completed. By default Allow file download while awaiting a verdict is selected.
  IMPORTANT: The Block file download until a verdict is returned feature should only be enabled if the strictest controls are desired.
  If you select this feature, a warning dialog appears. Clicking the:
  - I agree, apply the setting button selects the Block file download until a verdict is returned option. You also must click the Accept button for the change to take effect.
  - Never mind, do not apply link closes the dialog and leaves Allow file download while awaiting a verdict selected.
8 Click Accept.

Disabling GAV or Cloud Anti-Virus

You can disable the Gateway Anti-Virus or Cloud Anti-Virus services by clearing the checkboxes for them on the Security Services > Gateway Anti-Virus page. If you disable either service while Capture ATP is enabled, a popup message is displayed warning you that Capture ATP will also be disabled.

Capture ATP stops working if either Gateway Anti-Virus or Cloud Anti-Virus is disabled. For example, if Gateway Anti-Virus is not enabled, the Capture ATP > Settings page shows You must enable Gateway Anti-Virus for Capture ATP to function, along with a manage settings link that takes you to the Security Services > Gateway Anti-Virus page where you can enable it.


More information

Enforced Client Policy & Reporting Server (EPRS) 2.3. Administration Guide

Enforced Client Policy & Reporting Server (EPRS) 2.3. Administration Guide Enforced Client Policy & Reporting Server (EPRS) 2.3 Copyright 2016 Dell Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. Dell, the

More information

SonicWall Security 9.0.6

SonicWall  Security 9.0.6 SonicWall Email Security 9.0.6 December 2017 These release notes provide information about the SonicWall Email Security 9.0.6 release. Topics: About Email Security Features and Enhancements Resolved Issues

More information

Configuring NAT Policies

Configuring NAT Policies Configuring NAT Policies Rules > NAT Policies About NAT in SonicOS About NAT Load Balancing About NAT64 Viewing NAT Policy Entries Adding or Editing NAT or NAT64 Policies Deleting NAT Policies Creating

More information

SonicOS Release Notes

SonicOS Release Notes SonicOS Contents Platform Compatibility... 1 Known Issues... 2 Resolved Issues... 4 Upgrading SonicOS Enhanced Image Procedures... 5 Related Technical Documentation... 10 Platform Compatibility The SonicOS

More information

Centralized Policy, Virus, and Outbreak Quarantines

Centralized Policy, Virus, and Outbreak Quarantines Centralized Policy, Virus, and Outbreak Quarantines This chapter contains the following sections: Overview of Centralized Quarantines, page 1 Centralizing Policy, Virus, and Outbreak Quarantines, page

More information

Platform Compatibility... 1 Enhancements... 2 Known Issues... 3 Upgrading SonicOS Enhanced Image Procedures... 3 Related Technical Documentation...

Platform Compatibility... 1 Enhancements... 2 Known Issues... 3 Upgrading SonicOS Enhanced Image Procedures... 3 Related Technical Documentation... SonicOS Contents Platform Compatibility... 1 Enhancements... 2 Known Issues... 3 Upgrading SonicOS Enhanced Image Procedures... 3 Related Technical Documentation...7 Platform Compatibility The SonicOS

More information

Interface Reference. McAfee Application Control Windows Interface Reference Guide. Add Installer page. (McAfee epolicy Orchestrator)

Interface Reference. McAfee Application Control Windows Interface Reference Guide. Add Installer page. (McAfee epolicy Orchestrator) McAfee Application Control 8.1.0 - Windows Interface Reference Guide (McAfee epolicy Orchestrator) Interface Reference Add Installer page Add an existing installer to the McAfee epo repository. Table 1

More information

Best Practices: Enabling AMP on Content Security Products (ESA/WSA) March 2017 Version 2.3. Bill Yazji

Best Practices: Enabling AMP on Content Security Products (ESA/WSA) March 2017 Version 2.3. Bill Yazji Best Practices: Enabling AMP on Content Security Products (ESA/WSA) March 2017 Version 2.3 Bill Yazji byazji@cisco.com C O N T E N T S E C U R I T Y A M P B E S T P R A C T I C E S Overview: The vast majority

More information

Product Guide. McAfee GetSusp

Product Guide. McAfee GetSusp Product Guide McAfee GetSusp 3.0.0.461 COPYRIGHT LICENSE INFORMATION Copyright 2013-2017 McAfee, LLC. YOUR RIGHTS TO COPY AND RUN THIS TOOL ARE DEFINED BY THE MCAFEE SOFTWARE ROYALTY-FREE LICENSE FOUND

More information

SonicOS Standard Release Notes SonicWALL, Inc. Software Release: June 4, 2009

SonicOS Standard Release Notes SonicWALL, Inc. Software Release: June 4, 2009 Release Notes SonicOS Standard 3.1.6.3 Release Notes SonicWALL, Inc. Software Release: June 4, 2009 CONTENTS Platform Compatibility...1 Software Release Caveats...1 Known Issues...2 Resolved Issues...2

More information

High Availability on the SonicWALL TZ 210

High Availability on the SonicWALL TZ 210 High Availability on the SonicWALL TZ 210 Document Scope This document describes how to configure and manage the High Availability feature for the SonicWALL TZ 210 security appliance. This document contains

More information

Configuring Botnet Filters

Configuring Botnet Filters Configuring Botnet Filters NOTE: The Botnet Filtering feature is available on TZ300 series and above appliances. The Botnet Filtering feature allows you to block connections to or from Botnet command and

More information

IBM Express Managed Security Services for Security. Anti-Virus Administrator s Guide. Version 5.31

IBM Express Managed Security Services for  Security. Anti-Virus Administrator s Guide. Version 5.31 IBM Express Managed Security Services for Email Security Anti-Virus Administrator s Guide Version 5.31 Table of Contents 1. Service overview...3 1.1 Welcome... 3 1.2 Anti-Virus (AV) features... 3 1.3 How

More information

rat Comodo EDR Software Version 1.7 Administrator Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013

rat Comodo EDR Software Version 1.7 Administrator Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 rat Comodo EDR Software Version 1.7 Administrator Guide Guide Version 1.1.120318 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction to Comodo EDR...3 1.1 Purchase

More information

How to Configure Virus Scanning in the Firewall for FTP Traffic

How to Configure Virus Scanning in the Firewall for FTP Traffic How to Configure Virus Scanning in the Firewall for FTP Traffic The X-Series Firewall scans FTP traffic for malware on a per-access-rule basis when FTP virus scanning in the firewall is enabled. Both active

More information

Monitoring the Device

Monitoring the Device The system includes dashboards and an Event Viewer that you can use to monitor the device and traffic that is passing through the device. Enable Logging to Obtain Traffic Statistics, page 1 Monitoring

More information

Tracking Messages

Tracking  Messages This chapter contains the following sections: Tracking Service Overview, page 1 Setting Up Centralized Message Tracking, page 2 Checking Message Tracking Data Availability, page 4 Searching for Email Messages,

More information

User s Guide. SingNet Desktop Security Copyright 2010 F-Secure Corporation. All rights reserved.

User s Guide. SingNet Desktop Security Copyright 2010 F-Secure Corporation. All rights reserved. User s Guide SingNet Desktop Security 2011 Copyright 2010 F-Secure Corporation. All rights reserved. Table of Contents 1. Getting Started... 1 1.1. Installing SingNet Desktop Security... 1 1.1.1. System

More information

SonicOS Release Notes

SonicOS Release Notes SonicOS Contents Platform Compatibility... 1 Browser Support... 2 Supported Features by Appliance Model... 2 Licensing Geo-IP and Botnet Filtering... 4 Known Issues... 6 Resolved Issues... 8 Upgrading

More information

SonicWall Security 9.0.5

SonicWall  Security 9.0.5 SonicWall Email Security 9.0.5 October 2017 These release notes provide information about the SonicWall Email Security 9.0.5 release. Topics: About Email Security Features Enhancements Resolved Issues

More information

July SonicWall SonicOS 6.2 Upgrade Guide

July SonicWall SonicOS 6.2 Upgrade Guide SonicWall SonicOS 6.2 July 2017 This provides instructions for upgrading your SonicWall network security appliance from SonicOS 6.1 firmware or a previous version of SonicOS 6.2 to the latest version of

More information

Network Discovery Policies

Network Discovery Policies The following topics describe how to create, configure, and manage network discovery policies: Overview:, page 1 Network Discovery Customization, page 2 Network Discovery Rules, page 3 Configuring Advanced

More information

VII. Corente Services SSL Client

VII. Corente Services SSL Client VII. Corente Services SSL Client Corente Release 9.1 Manual 9.1.1 Copyright 2014, Oracle and/or its affiliates. All rights reserved. Table of Contents Preface... 5 I. Introduction... 6 Chapter 1. Requirements...

More information

Integrate Cisco IronPort Security Appliance (ESA)

Integrate Cisco IronPort  Security Appliance (ESA) Integrate Cisco IronPort Email Security Appliance (ESA) Publication Date: January 4, 2017 Abstract This guide provides instructions to configure Cisco IronPort Email Security Appliance (ESA) to send the

More information

rat Comodo Valkyrie Software Version 1.1 Administrator Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013

rat Comodo Valkyrie Software Version 1.1 Administrator Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 rat Comodo Valkyrie Software Version 1.1 Administrator Guide Guide Version 1.1.122415 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction to Comodo Valkyrie...

More information

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

Fireware-Essentials.  Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7. Fireware-Essentials Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.0 http://www.gratisexam.com/ Fireware Essentials Fireware Essentials Exam Exam A QUESTION 1 Which

More information

User s Manual. Version 5

User s Manual. Version 5 User s Manual Version 5 Copyright 2017 Safeway. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language,

More information

VPN Auto Provisioning

VPN Auto Provisioning VPN Auto Provisioning You can configure various types of IPsec VPN policies, such as site-to-site policies, including GroupVPN, and route-based policies. For specific details on the setting for these kinds

More information

Configuring Firewall Access Rules

Configuring Firewall Access Rules Firewall Configuring Firewall Access Rules Configuring Application Control Rules Configuring Advanced App Control Settings Configuring Match Objects Configuring Action Objects Configuring Address Objects

More information

The following topics describe how to configure correlation policies and rules.

The following topics describe how to configure correlation policies and rules. The following topics describe how to configure correlation policies and rules. Introduction to and Rules, page 1 Configuring, page 2 Configuring Correlation Rules, page 5 Configuring Correlation Response

More information

Create Decryption Policies to Control HTTPS Traffic

Create Decryption Policies to Control HTTPS Traffic Create Decryption Policies to Control HTTPS Traffic This chapter contains the following sections: Overview of Create Decryption Policies to Control HTTPS Traffic, page 1 Managing HTTPS Traffic through

More information

Cisco Threat Intelligence Director (TID)

Cisco Threat Intelligence Director (TID) The topics in this chapter describe how to configure and use TID in the Firepower System. Overview, page 1 Requirements for Threat Intelligence Director, page 4 How To Set Up, page 6 Analyze TID Incident

More information

Barracuda Firewall Release Notes 6.6.X

Barracuda Firewall Release Notes 6.6.X Please Read Before Upgrading Before installing the new firmware version, back up your configuration and read all of the release notes that apply to the versions that are more current than the version that

More information

Comodo Antispam Gateway Software Version 2.12

Comodo Antispam Gateway Software Version 2.12 Comodo Antispam Gateway Software Version 2.12 User Guide Guide Version 2.12.112017 Comodo Security Solutions 1255 Broad Street Clifton, NJ, 07013 Table of Contents 1 Introduction to Comodo Antispam Gateway...3

More information

Hi rat. Comodo Valkyrie. Software Version User Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013

Hi rat. Comodo Valkyrie. Software Version User Guide Guide Version Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Hi rat Comodo Valkyrie Software Version 1.19 User Guide Guide Version 1.19.091217 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction to Comodo Valkyrie... 3

More information

SonicOS Standard Release Notes SonicWALL Secure Anti-Virus Router 80 Series SonicWALL, Inc. Software Release: March 15, 2007

SonicOS Standard Release Notes SonicWALL Secure Anti-Virus Router 80 Series SonicWALL, Inc. Software Release: March 15, 2007 SonicOS Standard 3.8.0.1 SonicWALL Secure Anti-Virus Router 80 Series SonicWALL, Inc. Software Release: March 15, 2007 CONTENTS PLATFORM COMPATIBILITY KEY FEATURES KNOWN ISSUES UPGRADING SONICOS STANDARD

More information

A manual for understanding and using the Impex Control Center. SYSCTL AB - version 1.5

A manual for understanding and using the Impex Control Center. SYSCTL AB - version 1.5 A manual for understanding and using the Impex Control Center SYSCTL AB - version 1.5 CONTENTS Contents Introduction 4 History....................................................... 4 Components.....................................................

More information

Integrate Viper business antivirus EventTracker Enterprise

Integrate Viper business antivirus EventTracker Enterprise Integrate Viper business antivirus EventTracker Enterprise Publication Date: June 2, 2016 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com Abstract This guide provides instructions

More information

Integrating Juniper Sky Advanced Threat Prevention (ATP) and ForeScout CounterACT for Infected Host Remediation

Integrating Juniper Sky Advanced Threat Prevention (ATP) and ForeScout CounterACT for Infected Host Remediation Integrating Juniper Sky Advanced Threat Prevention (ATP) and ForeScout CounterACT for Infected Host Remediation Configuration Example March 2018 2018 Juniper Networks, Inc. Juniper Networks, Inc. 1133

More information

Product Guide. McAfee GetClean. version 2.0

Product Guide. McAfee GetClean. version 2.0 Product Guide McAfee GetClean version 2.0 About this guide COPYRIGHT LICENSE INFORMATION Copyright 2013-2017 McAfee, LLC. YOUR RIGHTS TO COPY AND RUN THIS TOOL ARE DEFINED BY THE MCAFEE SOFTWARE ROYALTY-FREE

More information

Comodo Unknown File Hunter Software Version 2.1

Comodo Unknown File Hunter Software Version 2.1 rat Comodo Unknown File Hunter Software Version 2.1 Administrator Guide Guide Version 2.1.061118 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction to Comodo

More information

Sandstorm: Frequently asked questions. May August 2016 Page 1 of 7

Sandstorm: Frequently asked questions. May August 2016 Page 1 of 7 Sandstorm: Frequently asked questions May 2017 August 2016 Page 1 of 7 Licensing 1. What licenses do customers need to use Sophos Sandstorm functionality? Product and Competitive 2. Can we compare Sophos

More information

The following topics describe how to manage various policies on the Firepower Management Center:

The following topics describe how to manage various policies on the Firepower Management Center: The following topics describe how to manage various policies on the Firepower Management Center: Policy Deployment, page 1 Policy Comparison, page 11 Policy Reports, page 12 Out-of-Date Policies, page

More information

USM Anywhere AlienApps Guide

USM Anywhere AlienApps Guide USM Anywhere AlienApps Guide Updated April 23, 2018 Copyright 2018 AlienVault. All rights reserved. AlienVault, AlienApp, AlienApps, AlienVault OSSIM, Open Threat Exchange, OTX, Unified Security Management,

More information

The following topics describe how to work with reports in the Firepower System:

The following topics describe how to work with reports in the Firepower System: The following topics describe how to work with reports in the Firepower System: Introduction to Reports Introduction to Reports, on page 1 Risk Reports, on page 1 Standard Reports, on page 2 About Working

More information

Handbook: Carbonite Safe

Handbook: Carbonite Safe 1 Welcome to Carbonite! Important Things to Know...4 Carbonite Features...5 Setting Up and Installing...6 Starting a Trial... 7 Installing Carbonite for the First Time... 7 Buying a Subscription...9 Subscription

More information

Cisco Systems, Inc IronPort

Cisco Systems, Inc IronPort IronPort RSA Secured Implementation Guide for RSA DLP Network Partner Information Last Modified: December 5 th, 2012 Product Information Partner Name Cisco Systems, Inc Web Site www.cisco.com Product Name

More information

Forescout. eyeextend for Palo Alto Networks Wildfire. Configuration Guide. Version 2.2

Forescout. eyeextend for Palo Alto Networks Wildfire. Configuration Guide. Version 2.2 Forescout Version 2.2 Contact Information Forescout Technologies, Inc. 190 West Tasman Drive San Jose, CA 95134 USA https://www.forescout.com/support/ Toll-Free (US): 1.866.377.8771 Tel (Intl): 1.408.213.3191

More information

SonicOS Enhanced Release Notes

SonicOS Enhanced Release Notes SonicOS Contents Platform Compatibility... 1 Known Issues... 2 Resolved Known Issues... 3 Upgrading SonicOS Enhanced Image Procedures... 5 Related Technical Documentation...8 Platform Compatibility The

More information

Comodo Antispam Gateway Software Version 2.11

Comodo Antispam Gateway Software Version 2.11 Comodo Antispam Gateway Software Version 2.11 User Guide Guide Version 2.11.041917 Comodo Security Solutions 1255 Broad Street Clifton, NJ, 07013 Table of Contents 1 Introduction to Comodo Antispam Gateway...3

More information

Dell SonicWALL SonicOS

Dell SonicWALL SonicOS Dell SonicWALL SonicOS 6.2.6.0 August 2016 These release notes provide information about the Dell SonicWALL SonicOS 6.2.6.0 release. Topics: About SonicOS 6.2.6.0 Supported platforms New features s s Product

More information

Wavelink Avalanche Site Edition Java Console User Guide. Version 5.3

Wavelink Avalanche Site Edition Java Console User Guide. Version 5.3 Wavelink Avalanche Site Edition Java Console User Guide Version 5.3 Revised 04/05/2012 ii Copyright 2012 by Wavelink Corporation. All rights reserved. Wavelink Corporation 10808 South River Front Parkway,

More information

McAfee Threat Intelligence Exchange Product Guide. (McAfee epolicy Orchestrator)

McAfee Threat Intelligence Exchange Product Guide. (McAfee epolicy Orchestrator) McAfee Threat Intelligence Exchange 2.2.0 Product Guide (McAfee epolicy Orchestrator) COPYRIGHT Copyright 2018 McAfee, LLC TRADEMARK ATTRIBUTIONS McAfee and the McAfee logo, McAfee Active Protection, epolicy

More information

Sophos Enterprise Console help. Product version: 5.5

Sophos Enterprise Console help. Product version: 5.5 Sophos Enterprise Console help Product version: 5.5 Contents 1 About Sophos Enterprise Console...6 2 Guide to the Enterprise Console interface...7 2.1 User interface layout...7 2.2 Toolbar buttons...7

More information

Grapevine web hosting user manual. 12 August 2005

Grapevine web hosting user manual. 12 August 2005 Grapevine web hosting user manual 12 August 2005 Grapevine web hosting user manual 2 Contents Contents... 2 Introduction... 4 System features... 4 How it looks... 5 Main navigation... 5 Reports... 6 Web

More information

My Team And Manager Reports Rev 2

My Team And Manager Reports Rev 2 My Team And Manager Reports 20141210 Rev 2 1 Contents My Team Overview... 3 My Team Search... 7 Action Items... 8 Tasks Overview... 8 Assign Training... 11 Profile Overview... 13 Transcript... 15 Calendar

More information

Access Control. Access Control Overview. Access Control Rules and the Default Action

Access Control. Access Control Overview. Access Control Rules and the Default Action The following topics explain access control rules. These rules control which traffic is allowed to pass through the device, and apply advanced services to the traffic, such as intrusion inspection. Overview,

More information

File Policies and AMP for Firepower

File Policies and AMP for Firepower The following topics provide an overview of file control, file policies, file rules, AMP cloud connections, and dynamic analysis connections. About, page 1 File Control and Cisco AMP Basics, page 2 File

More information

2/22/2016 UTM: How to Open FTPS traffic to a Passive mode FTP Server behind the SonicWALL (SW10094)

2/22/2016 UTM: How to Open FTPS traffic to a Passive mode FTP Server behind the SonicWALL (SW10094) UTM: How to Open FTPS traffic to a Passive mode FTP Server behind the SonicWALL (SW10094) Title UTM: How to Open FTPS traffic to a Passive mode FTP Server behind the SonicWALL Resolution Article Applies

More information

What to Look for When Evaluating Next-Generation Firewalls

What to Look for When Evaluating Next-Generation Firewalls What to Look for When Evaluating Next-Generation Firewalls Using independent tests to compare performance, cost and functionality Table of Contents Why Use Independent Tests in Evaluations?... 3 What to

More information

Comodo Comodo Dome Antispam MSP Software Version 2.12

Comodo Comodo Dome Antispam MSP Software Version 2.12 Comodo Comodo Dome Antispam MSP Software Version 2.12 User Guide Guide Version 2.12.111517 Comodo Security Solutions 1255 Broad Street Clifton, NJ, 07013 Table of Contents 1 Introduction to Comodo Dome

More information

Sophos Enterprise Console

Sophos Enterprise Console Sophos Enterprise Console Help Product Version: 5.5 Contents About Sophos Enterprise Console...1 Guide to the Enterprise Console interface... 2 User interface layout... 2 Toolbar buttons...2 Dashboard

More information

Sun Mgt Bonus Lab 11: Auto-Tagging in PAN-OS 8.X

Sun Mgt Bonus Lab 11: Auto-Tagging in PAN-OS 8.X 1 Overview Introduced first in PAN-OS 8.0, the Dynamic IP Address and Tag Registration feature makes a significant step forward in the automation of operational, administrative, and, most importantly,

More information

Time Sensitive Information!

Time Sensitive Information! Time Sensitive Information! These Configuration Changes Must Be Applied Ten Days Prior to Crexendo Cut-Over SonicWall 6.5 OS Router Configuration For Crexendo Cloud Telephony Deployment Document Version

More information

Cisco s Appliance-based Content Security: IronPort and Web Security

Cisco s Appliance-based Content Security: IronPort  and Web Security Cisco s Appliance-based Content Security: IronPort E-mail and Web Security Hrvoje Dogan Consulting Systems Engineer, Security, Emerging Markets East 2010 Cisco and/or its affiliates. All rights reserved.

More information

SonicOS Enhanced Release Notes SonicWALL, Inc. Software Release: February 8, 2007

SonicOS Enhanced Release Notes SonicWALL, Inc. Software Release: February 8, 2007 SonicOS Enhanced 3.2.3.0 SonicWALL, Inc. Software Release: February 8, 2007 CONTENTS PLATFORM COMPATIBILITY OVERVIEW KNOWN ISSUES RESOLVED KNOWN ISSUES UPGRADING SONICOS STANDARD/ENHANCED IMAGE PROCEDURES

More information

COMMUNITIES USER MANUAL. Satori Team

COMMUNITIES USER MANUAL. Satori Team COMMUNITIES USER MANUAL Satori Team Table of Contents Communities... 2 1. Introduction... 4 2. Roles and privileges.... 5 3. Process flow.... 6 4. Description... 8 a) Community page.... 9 b) Creating community

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file

More information

Comodo APT Assessment Tool

Comodo APT Assessment Tool rat Comodo APT Assessment Tool Software Version 1.1 Administrator Guide Guide Version 1.1.102815 Comodo Security Solutions 1255 Broad Street Clifton, NJ 07013 Table of Contents 1 Introduction to Comodo

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme file

More information

Tracking Messages. Message Tracking Overview. Enabling Message Tracking. This chapter contains the following sections:

Tracking Messages. Message Tracking Overview. Enabling Message Tracking. This chapter contains the following sections: This chapter contains the following sections: Message Tracking Overview, page 1 Enabling Message Tracking, page 1 Searching for Messages, page 2 Working with Message Tracking Search Results, page 4 Checking

More information

This document describes the configuration of Secure Sockets Layer (SSL) decryption on the FirePOWER Module using ASDM (On-Box Management).

This document describes the configuration of Secure Sockets Layer (SSL) decryption on the FirePOWER Module using ASDM (On-Box Management). Contents Introduction Prerequisites Requirements Components Used Background Information Outbound SSL Decryption Inbound SSL Decryption Configuration for SSL Decryption Outbound SSL decryption (Decrypt

More information

AppDefense Cb Defense Configuration Guide. AppDefense Appendix Cb Defense Integration Configuration Guide

AppDefense Cb Defense Configuration Guide. AppDefense Appendix Cb Defense Integration Configuration Guide AppDefense Appendix Cb Defense Integration Configuration Guide Table of Contents Overview 3 Requirements 3 Provision API Key for Cb Defense Integration 3 Figure 1 Integration Type 4 Figure 2 API Key Provisioning

More information

Configuring Advanced Firewall Settings

Configuring Advanced Firewall Settings Configuring Advanced Firewall Settings This section provides advanced firewall settings for configuring detection prevention, dynamic ports, source routed packets, connection selection, and access rule

More information

INSITES CONNECT ADMINISTRATION GUIDE. Version 1.4.3

INSITES CONNECT ADMINISTRATION GUIDE. Version 1.4.3 INSITES CONNECT ADMINISTRATION GUIDE Version 1.4.3 CONTENTS GETTING STARTED... 2 Version Compatibility... 2 Installing the InSites Connect app... 2 APP CONFIGURATION... 4 CONFIGURING PUSH NOTIFICATIONS...

More information

Integrate Cisco Sourcefire

Integrate Cisco Sourcefire Integrate Cisco Sourcefire EventTracker Enterprise Publication Date: April 18, 2016 EventTracker 8815 Centre Park Drive Columbia MD 21045 www.eventtracker.com About this Guide This guide will facilitate

More information

User Guide For Version 4.0

User Guide For Version 4.0 User Guide For Version 4.0 Easy-to-use, Complete Cyber Cafe Management Software by icafe Manager User Guide Contents Chapter 1: Introduction 7 1.1 About the Manual 7 1.2 Intended Audience 7 1.3 Conventions

More information

MOVE AntiVirus page-level reference

MOVE AntiVirus page-level reference McAfee MOVE AntiVirus 4.7.0 Interface Reference Guide (McAfee epolicy Orchestrator) MOVE AntiVirus page-level reference General page (Configuration tab) Allows you to configure your McAfee epo details,

More information